Samba4/LDAP Backend/Replication With Fedora DS

Revision as of 19:51, 14 August 2009 by Edewata (Starting Samba Replica)


This page describes how to set up a Samba 4 replica with Fedora DS 1.2 on Fedora Core 10. Instructions for setting up the Samba 4 master are available here.

This document assumes the following environment:

  • Domain name:
  • Samba master:
  • Samba replica:


Follow this page to install Samba and Fedora DS on the replica.


Create /usr/local/samba/etc/smb.conf for the replica:

        netbios name    = samba2

See also this page.

Provisioning Fedora DS

Fix the schema problem as described on this page.

Set up the Fedora DS instance for the replica:

% cd $SRC_DIR/samba/source4
% setup/provision-backend \
--realm=EXAMPLE.COM \
--domain=EXAMPLE \
--server-role='domain controller' \
--ldap-admin-pass=Secret123 \

Edit /usr/local/samba/private/ldap/fedorads.inf:

FullMachineName         =
SuiteSpotUserID         = nobody
SuiteSpotGroup          = nobody
ServerRoot              = /usr/local/samba/private/ldap

ConfigDirectoryLdapURL  = ldap://
ConfigDirectoryAdminID  = admin
ConfigDirectoryAdminPwd = Secret123

AdminDomain             =

ServerPort              = 390
ServerIdentifier        = samba4
Suffix                  = DC=example,DC=com

RootDN                  = cn=Directory Manager
RootDNPwd               = Secret123

ldapifilepath           = /usr/local/samba/private/ldap/ldapi

start_server            = 0
install_full_schema     = 0

SchemaFile              = /usr/local/samba/private/ldap/99_ad.ldif
ConfigFile              = /usr/local/samba/private/ldap/fedorads-partitions.ldif

inst_dir                = /usr/local/samba/private/ldap/slapd-samba4
config_dir              = /usr/local/samba/private/ldap/slapd-samba4
schema_dir              = /usr/local/samba/private/ldap/slapd-samba4/schema
lock_dir                = /usr/local/samba/private/ldap/slapd-samba4/lock
log_dir                 = /usr/local/samba/private/ldap/slapd-samba4/logs
run_dir                 = /usr/local/samba/private/ldap/slapd-samba4/logs
db_dir                  = /usr/local/samba/private/ldap/slapd-samba4/db
bak_dir                 = /usr/local/samba/private/ldap/slapd-samba4/bak
tmp_dir                 = /usr/local/samba/private/ldap/slapd-samba4/tmp
ldif_dir                = /usr/local/samba/private/ldap/slapd-samba4/ldif
cert_dir                = /usr/local/samba/private/ldap/slapd-samba4

Execute the following command:

% cd $INSTALL_DIR/private/ldap
% /usr/sbin/ --file=fedorads.inf

Currently the script does not read all of the above parameters properly, so you will have to re-enter them when prompted.

Starting Fedora DS

Start the Fedora DS replica.

% cd $INSTALL_DIR/private/ldap
% slapd-samba/start-slapd

Configuring Multi-Master Replication

Samba uses three databases in Fedora DS, and each of them requires its own replication agreement.

Download the script to configure replication, then run it once for each database:

% \
--host1 --host2 --port 390 \
--host1_id 1 --host2_id 2 \
--binddn 'cn=Directory Manager' \
--bindpw Secret123 \
--repmanpw Secret123 \
--base dc=example,dc=com \

% \
--host1 --host2 --port 390 \
--host1_id 1 --host2_id 2 \
--binddn 'cn=Directory Manager' \
--bindpw Secret123 \
--repmanpw Secret123 \
--base cn=Configuration,dc=example,dc=com \

% \
--host1 --host2 --port 390 \
--host1_id 1 --host2_id 2 \
--binddn 'cn=Directory Manager' \
--bindpw Secret123 \
--repmanpw Secret123 \
--base cn=Schema,cn=Configuration,dc=example,dc=com \

Provisioning Samba

Execute the following on the replica:

% cd $SRC_DIR/samba/source4
% setup/provision --realm=EXAMPLE.COM --domain=EXAMPLE \
--adminpass=Secret123 \
--ldap-backend-type=fedora-ds \
--ldap-backend=ldapi:///usr/local/samba/private/ldap/ldapi \
Server Role:    domain controller
Hostname:       samba2
DNS Domain:
DOMAIN SID:     S-1-5-21-3010954269-3145692404-1112636010
Admin password: Secret123

Joining Samba Domain

DNS must be configured before the replica is joined to the domain. See also this page.

Execute this on the replica:

% cd $INSTALL_DIR/bin
% ./net join EXAMPLE BDC -U Administrator --password=Secret123
Joined domain EXAMPLE (S-1-5-21-1030068324-2126043060-2085863383)

Generate a UUID:

% /usr/bin/uuidgen

Create a file containing the following entry, replacing <UUID> with the value generated above:

dn: CN=NTDS Settings,CN=SAMBA2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: applicationSettings
objectClass: nTDSDSA
cn: NTDS Settings
options: 1
showInAdvancedViewOnly: TRUE
systemFlags: 33554432
dMDLocation: CN=Schema,CN=Configuration,DC=example,DC=com
invocationId: <UUID>
msDS-Behavior-Version: 2

Add the entry to Samba master:

% cd $INSTALL_DIR/bin
% ./ldbadd -H ldap:// -p -U Administrator --password=Secret123 <file>

Starting Samba Replica

Execute this on the replica:

% cd $INSTALL_DIR/sbin
% ./samba -i -M single -d 3

Configuring DNS

DNS needs to be configured so that it points to both the master and the replica. See this page.


SID Allocation

SIDs are currently allocated by incrementing the nextRid attribute of the domain object, which is replicated across the Fedora DS instances. This can cause conflicts (two accounts receiving the same RID) if new users or groups are added on multiple Samba instances simultaneously, because each instance increments its own copy of the counter before the change has replicated. This issue will be fixed soon by using the DNA plugin, which gives each instance its own RID range.
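The collision described above, as an added example that is not part of the original page: a small Python model of two masters allocating RIDs from a replicated nextRid counter, compared with per-replica ranges in the style of the DNA plugin. The Replica class, the starting RID of 1000 and the range sizes are constructed for the illustration; the domain SID is the one from the provision output above.

```python
DOMAIN_SID = "S-1-5-21-3010954269-3145692404-1112636010"  # from the provision output


class Replica:
    """One Samba/Fedora DS instance (constructed model, not Samba code).
    next_rid is this instance's copy of the replicated nextRid attribute;
    rid_range, when set, is a private, non-replicated pool as DNA would hand out."""

    def __init__(self, name, rid_range=None):
        self.name = name
        self.rid_range = rid_range
        self.next_rid = rid_range[0] if rid_range else 1000  # assumed start value
        self.accounts = {}  # SID -> account created on this replica

    def allocate(self, account):
        """Read-modify-write of nextRid, as the page describes."""
        if self.rid_range and self.next_rid > self.rid_range[1]:
            raise RuntimeError(f"{self.name}: RID range exhausted")
        sid = f"{DOMAIN_SID}-{self.next_rid}"
        self.next_rid += 1
        self.accounts[sid] = account
        return sid


def replicate(a, b):
    """Converge the replicated counter between two masters. Multi-master
    replication resolves a conflicting single-valued attribute to one value
    (modelled here as the larger); SIDs already written are not re-examined.
    With per-replica ranges the counter is local and nothing is merged."""
    if a.rid_range is None:
        a.next_rid = b.next_rid = max(a.next_rid, b.next_rid)


def simulate(use_dna_ranges):
    """Add one user on each master within one replication cycle and return
    the SIDs that ended up assigned to more than one account."""
    if use_dna_ranges:
        m1, m2 = Replica("samba1", (1000, 1999)), Replica("samba2", (2000, 2999))
    else:
        m1, m2 = Replica("samba1"), Replica("samba2")
    replicate(m1, m2)
    m1.allocate("alice")  # both adds land before the change replicates
    m2.allocate("bob")
    replicate(m1, m2)
    merged = {}
    for r in (m1, m2):
        for sid, acct in r.accounts.items():
            merged.setdefault(sid, set()).add(acct)
    return {sid: names for sid, names in merged.items() if len(names) > 1}
```

simulate(False) reports one SID shared by alice and bob; simulate(True) reports none.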